SenseCy is a Cyber Threat Intelligence (CTI) provider based in Israel. SenseCy enables continuous monitoring and early identification of cyber threats through a unique methodology called Virtual HUMINT™ coupled with strong dedicated technology.
In the past few years we have witnessed a growing number of significant data breaches.
The Data Breach Epidemic Report reviews the most significant data breaches that occurred in 2018 and provides our analysis of the major data leaks. It also includes key trends we identified based on ~5B leaked records detected and analyzed by our team.
4,812,840,627 – Total Leaked Records In 2018
1,925,136,251 – Unique Records
24,224,940 – Organizations
53% of all leaked data comes from .com domains
Distribution of “Combo Lists” is the key trend in the 2018 data leaks
Leaked records by region:
APAC – 1.5B records
EMEA – 728M records
LATAM – 34M records
Many “Combo Lists” published in 2018 targeted specific regions, indicating the leading interests of hacker groups.
THE ANALYSIS PROCESS
In order to identify and analyze the major breaches of 2018, our analysts have been continuously monitoring activities on the Dark Web, in closed hacking communities and in other sources, to uncover indicators of breaches and data leaks.
In the report you will find a summary of the most popular ways hackers use to exploit stolen data, with real-life examples of attacks that exploited leaked records.
Based on our analysis of the leaked data we obtained from several underground sources, we were able to identify several key trends, for example the increasing distribution of “Combo Lists”, the demand for region-specific leaks, and the countries with the most leaked government data.
ANALYSIS OF EXPLOITATION METHODS
The report also shares the hackers’ perspective, reviewing the most popular ways hackers use to exploit leaked data. These include credential stuffing attacks, brute force attacks, social engineering and email-based attacks. This information is valuable as it can help organizations prioritize risk and improve their resilience and readiness against these attack methods.
THE BIGGEST DATA BREACHES OF 2018
In the report, you will find the list of the most prominent data breaches that occurred in 2018, and what we can learn from the millions of compromised records and stolen data.
The peak of activity of Point-of-Sale (PoS) malware was in late 2013 (with the disclosure of the notorious Target breach), and over the course of 2014, when we witnessed the development and trade of new PoS malware strains. The vigorous discussions on hacking communities at the time had led hackers to believe PoS malware would ensure them an easy profit. However, as time passed, the volume of such discussions decreased and cybercriminals apparently turned to more promising fields of activity, such as mining cryptocurrency and stealing crypto wallets. From time to time, we observed discussions pertaining to POS devices, largely focused around two main subjects:
Trade and sharing of old and known PoS malware samples or source codes, which are neither sophisticated nor efficient in large-scale attacks, for example Alina or Dexter.
Installation of fake, offline PoS terminals in physical locations to steal credit card data of customers who physically purchased there. This type of activity is considered risky since it requires physical access to the terminal and cooperation from additional crooks involved.
Based on these findings, combined with the lack of recent security reports on new PoS malware, one may conclude that attacks on PoS devices are becoming rare and less popular among cybercriminals. Nevertheless, recent evidence from the wild indicates that new PoS malware strains have been developed, and that attacks on PoS devices have never ceased.
Volume of discussions mentioning PoS over the course of the past two years. It is evident that the subject still enjoys a great deal of popularity
The continuation of Dark Web discussions dedicated to PoS malware, was lately also reflected in cyber security media, with reports about the discovery of two new PoS malware strains. The appearance of new PoS malware strains is relevant and concerning not only for retailers, who are naturally the primary victims of this malicious activity, but also for banks and other financial institutions that issue credit and debit cards, as it will be their cards’ details that will be stolen en masse, in the case of a successful remote infection by PoS malware on large retail websites.
In this post we review two PoS malware strains that have recently caught the public eye, with input from our research team.
GLITCHPOS – THE NEW POS MALWARE, WAS DEVELOPED FROM SCRATCH
GlitchPOS malware gained publicity after a blog post by Talos was published on March 13, 2019. However, as we regularly follow malware trade on underground forums, our researchers have first seen it pop up for sale in mid-February 2019.
According to the analysis of security researchers who obtained the malware samples, it is protected by a VisualBasic packer disguised as a game. The packer decodes the real GlitchPOS payload, written in VisualBasic as well. Additionally, it appears the malware’s code was not modified from a leaked source code of an old malware, but was developed from scratch.
GlitchPOS is a small-sized memory grabber with a limited set of functions, which it performs when communicating with the C&C server, such as exfiltrating credit card numbers from the memory of the infected systems, updating the exclusion list of the scanned processes to avoid detection, and receiving commands from the C&C server in memory or on the disk. Of note, communication between the malware and the C&C server is not encrypted.
A threat actor dubbed edbitss launched the sale of GlitchPOS on a prominent Russian-language forum on February 11, 2019, explaining that his product is a RAM scraper with certain loader capabilities. According to the sales post, the price is US$ 250 for a malware build and US$ 600 for a builder that will create an unlimited number of stubs for the buyer’s use. At some point, after five copies of the malware were allegedly purchased, the seller raised the price of the build to US$ 500, but then reverted it to the original price.
The original GlitchPOS sales thread. Source: Verint DarkAlert
The sales post contains a “changelog” section, indicating that since the initial publication the malware has been continuously updated in response to buyers’ comments.
After some complaints were registered regarding the malware, including a backdoor that allows the seller to steal the cards before they are monetized by the malware operators, the forum administrator received samples of the malware from the seller and, in the coming days, will publish his verdict regarding the legitimacy and capabilities of GlitchPOS. If authenticated, GlitchPOS will likely become extremely popular and in high demand among cybercriminals, being the first successful PoS malware in recent years.
Of note, GlitchPOS quickly spread to other underground forums, both Russian- and English-language, indicating its potential is high. While some of the publishers appear to be legitimate resellers, others seem to be scammers attempting to sell the malware for a higher price than the original.
DMSNIFF POS – THE “NEW” POS MALWARE HAS BEEN ACTIVE FOR OVER 4 YEARS
According to recent reports that have made this malware publicly known, the DMSniff POS malware appears to have remained undiscovered for at least four years (perhaps even more, according to our research team), and has been actively used by threat actors since at least 2015. Until now, this malware was spotted in breaches of small and medium-sized businesses in the restaurant and entertainment industries. It employs a technique rarely seen in PoS attacks – the Domain Generation Algorithm (DGA), which allows it to create changing lists of command-and-control domains if the old ones are taken down. Thus, the malware can still communicate with the servers and continue its activity.
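A defender-side illustration of the DGA behaviour described above, added here and not part of the original post or of any published DMSniff analysis: a small lexical heuristic that flags hosts issuing bursts of machine-looking second-level domains in resolver logs, which is the footprint a DGA leaves when most generated names do not resolve. The log format, the scoring thresholds and the sample lines are assumptions constructed for this example.

```python
import math
import re

# Constructed sample resolver log (not from the page). Assumed format, one query per line:
#   <timestamp> <client-ip> <queried-name> <response-code>
# Client 10.0.5.44 mimics a host cycling through generated names, most of which do
# not resolve (NXDOMAIN), the typical footprint of DGA-based C&C discovery.
SAMPLE_DNS_LOG = """\
2019-03-20T10:01:02Z 10.0.5.21 www.example.com NOERROR
2019-03-20T10:01:05Z 10.0.5.21 mail.example.com NOERROR
2019-03-20T10:01:09Z 10.0.5.44 xk3q9vz7bnp2rlt.com NXDOMAIN
2019-03-20T10:01:11Z 10.0.5.44 q8wzxv1pk7ty4mn.net NXDOMAIN
2019-03-20T10:01:14Z 10.0.5.44 zt9xqpw2vkm5nbr.org NOERROR
2019-03-20T10:02:01Z 10.0.5.21 cdn.example.com NOERROR
"""

VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for an empty or single-symbol string)."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def second_level_label(fqdn):
    """Label directly under the TLD, e.g. 'example' for 'www.example.com'.
    Assumes single-label public suffixes; a real deployment should consult the PSL."""
    parts = fqdn.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def longest_consonant_run(label):
    runs = re.findall(r"[b-df-hj-np-tv-z]+", label)
    return max((len(r) for r in runs), default=0)


def dga_score(label):
    """Count how many lexical features of `label` look machine-generated (0..4).
    Thresholds are illustrative assumptions, not tuned values."""
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = (sum(c in VOWELS for c in letters) / len(letters)) if letters else 0.0
    digit_ratio = (sum(c.isdigit() for c in label) / len(label)) if label else 0.0
    score = 0
    if shannon_entropy(label) > 3.5:
        score += 1
    if vowel_ratio < 0.2:
        score += 1
    if digit_ratio > 0.1:
        score += 1
    if longest_consonant_run(label) >= 4:
        score += 1
    return score


def parse_dns_log(text):
    """Parse the assumed four-field log format; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        ts, client, qname, rcode = fields
        records.append({"ts": ts, "client": client, "qname": qname, "rcode": rcode})
    return records


def flag_clients(text, score_threshold=2, min_hits=3):
    """Return {client: {"dga_like": [names], "nxdomain": count}} for every client that
    queried at least `min_hits` names scoring >= `score_threshold`."""
    per_client = {}
    for rec in parse_dns_log(text):
        if dga_score(second_level_label(rec["qname"])) < score_threshold:
            continue
        entry = per_client.setdefault(rec["client"], {"dga_like": [], "nxdomain": 0})
        entry["dga_like"].append(rec["qname"])
        if rec["rcode"] == "NXDOMAIN":
            entry["nxdomain"] += 1
    return {c: e for c, e in per_client.items() if len(e["dga_like"]) >= min_hits}


if __name__ == "__main__":
    for client, info in flag_clients(SAMPLE_DNS_LOG).items():
        print(client, info)
```

The NXDOMAIN count is the stronger signal in practice: a legitimate host with an odd-looking CDN name resolves it successfully, whereas a DGA host keeps asking for names nobody has registered.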
DMSniff POS can gain an initial foothold on POS devices either by using brute-force attacks against SSH connections, or by detecting existing vulnerabilities in the POS network and exploiting them. The latter vector is particularly simple, since like many other firmware devices, POS terminals tend to be inadequately secured and are frequently out of date.
Once the malware is installed, its purpose is to extract credit card Track 1 and Track 2 data from the targeted system’s memory. The malware also contains a predefined list of processes to skip when scanning the process tree. Once credit card data is discovered, the card data (including some of the surrounding memory) is packaged and sent to the C&C. After that, the stolen data is deleted from the malware’s administration panel.
Our research team’s monitoring of cybercriminal activities on the dark web did not reveal recent discussions or sales offers related to the DMSniff POS malware. However, we did find some brief references indicating this malware is not new and has been in use by hackers since at least 2015. For instance, we found a member of a closed English forum offering the malware for sale in late 2015, for US$ 5,000.
An English forum member offers DMSniff POS for sale in October 2015. Source: Verint Dark Alert
Another mention of DMSniff POS dating from that time was found on two Russian-language forums, where it was published as a module of the infamous Gazavat (also known as Sality) banking Trojan, designed for the interception of “dumps,” i.e. credit card information.
DMSniff is advertised as a module of the Gazavat banking Trojan in October 2015. Source: Verint Dark Alert
In the past few months, an alleged group of transparency advocates, headed by activist Emma Best (@NatSecGeek), created an online repository of leaked data similar to WikiLeaks, named “Distributed Denial of Secrets” (@DDoSecrets).
Our initial examination revealed that the repository includes a great volume of data aggregated from past leaks, but also several new ones. The data is extremely diverse and consists of documents, hacked emails, leaked credentials, and other data, which has been leaked over the years, by a variety of actors (hacktivists, APTs, etc).
The platform was established in late 2018 and became public on November 19, 2018. Its Twitter account was opened on December 3, 2018, and since then it has been tweeting every few days about new data published on the platform and related disclosures.
The platform received most of its publicity after it published a Russian data leak dubbed “Dark Side of the Kremlin.” The leak was published on January 25, 2019, and dealt with different aspects of Russian operations internally and externally. This includes Russia’s involvement in the fighting in Eastern Ukraine, its ties with the Russian Orthodox Church, and more.
The files included in the “Dark Side of the Kremlin” data leak
Although many view the platform as a payback for Russia’s involvement in the 2016 US presidential elections, the website denies this and claims it is working to uncover information from all over the world. At this time, there has been no official comment by the Russian government about the website, but the owners claim they suffered a cyber-attack against one of their servers.
The platform is a Darknet website, accessible only from a Tor browser. The main reason for this, is to maintain the anonymity of the website’s owners, and it also makes it difficult to take the platform down. Of note, even though this is a Darknet website, the Torrents from which the data can be downloaded are accessible from the Clearnet.
Here is what our researchers discovered while analyzing the platform and its contents.
DDOSECRETS – WHAT’S IN IT, WHO’S BEHIND IT?
The home page of the platform states it aims to “enable a free transmission of data.” The “Collective” behind the platform claims they are not backed by any government or corporation, and their only intention is to provide accessibility to the people.
In the “About” section of the platform, the “Collective” is briefly described, claiming it was formed in 2018, by a group of people, with experience in information-gathering, research and more, who wish to enable the general public to witness their findings. Of note, only two people are actually mentioned – Emma Best, and “The Architect,” who is the group’s technical advisor. Emma Best is a well-known transparency advocate and a journalist, who has been active for a long time, publishing confidential data and helping whistleblowers.
The data on the website is organized into categories, according to geographical areas and sectors. Some of the categories are empty, which may indicate what else is of interest to the group and to expect next.
The Asia section on the platform
Below is a short overview of the different categories and subcategories, and what can be found under each section:
Asia – Contains three subcategories:
Cambodia – contains leaked documents from the Ministry of Foreign Affairs.
China – the only data leak taken from the Ministry of Commerce. It contains information about deals with Eastern European countries, such as Russia, Belarus and Ukraine.
Russia – this subsection includes six data leaks. The first four deal with information stolen both from governmental organizations, such as the Interior Ministry, and the Russian defense exporter Rosoboronexport. The second part, which gained most of the media interest, is “Dark Side of the Kremlin,” described above.
Europe – contains two subsections:
Germany – the data comes from the German Chambers of Commerce and was stolen from their offices in Eastern Europe, including Azerbaijan and Ukraine.
Italy – the data contains documents taken from the Italian Police, about several of their operations, as well as private emails of Deputy Prime Minister Matteo Salvini that were already published in the past.
Middle East/North Africa – includes three subsections:
Azerbaijan – the data leaks are from two government organizations: The Ministry of Communications and IT, and the Special State Protection Service of Azerbaijan.
Turkey – the leaked data was stolen from the Turkish National Police (EGM) and from the ruling Justice and Development Party (AKP).
Syria – contains mostly governmental emails, some of which were released previously.
South America – includes two subsections:
Argentina – two leaks released by LeakyMails regarding private communications of Argentinean officials.
Brazil – includes documents about a government corruption investigation that involved the CIA.
North America – contains 35 different data leaks, from government agencies and private companies. Most of these organizations and companies are connected to surveillance programs and operations, and therefore this platform targets them specifically.
Australia – contains one leak, “Australia Queensland,” which incorporates different files stolen from Australian organizations. Much of the leak consists of financial and commercial data about Australian companies.
Africa – includes one data leak named “Chamber of Mines of South Africa”, which contains data regarding the mining industry in the country.
International – includes two data leaks: one of documents leaked by the famous American whistleblower, Edward Snowden, and the other from the Organization for Security and Co-operation in Europe (OSCE), discussing operations and sections in regard to different issues, such as the Ukrainian
State-Sponsored – information about data leaked by state-sponsored APT groups and other information connected to their operations. This includes emails of officials from the Democratic Party, allegedly stolen by Russian state sponsored groups, or internal data stolen by North Korean hackers from Sony.
Corporations – this subcategory includes two types of data leaks. The first contains intellectual property stolen from private companies, such as Hacking Team, Gamma, Stratfor, Time magazine, and more. All of this data was previously published online and gained much media attention. The second contains different credentials’ data leaks from companies such as LinkedIn, Dropbox, Ashley Madison and more. All of these are well-known leaks, and all are more than two years old.
Insurance releases – information stolen from insurance firms.
Research – the data includes interviews and research on CIA operations, such as an assassination program in Vietnam and Project MKUltra (a CIA experiment that took place in the 1950s and 60s). Most of this information is very old and was already published.
WikiLeaks – includes internal information and correspondence of WikiLeaks.
MISC – contains different leaks from various sources that do not fall under any other category. For example, one data leak includes documents confiscated after the Iranian revolution in 1979, talking about American espionage operations in the country. Further leaks contain information obtained by the notorious Darknet marketplace, Silk Road, etc.
DDOSECRETS – WHAT’S THE REAL VALUE OF THE DATA LEAKED – THE RESEARCHERS’ VIEW
After analyzing the platform, we can say that most of the information there is not new and is at least a few years old. The platform includes even older data leaks, such as the takeover of the American Embassy in Teheran in 1979. Much of the data has been previously leaked by WikiLeaks, or on other data-sharing platforms, and does not provide any new information. In addition, the credentials data leaks included on the platform, are also old and most of them were published at least two years ago. Naturally, this lowers the value of the published data.
With regard to the material itself, it seems they have a specific interest in Eastern Europe and former USSR countries.
They also have a specific interest in countries, parties and politicians that appear to be on the right side of the political map. This includes, for example, files connected to Donald Trump and the Lega Nord party and its leader, Matteo Salvini, from Italy.
In terms of leaks from the private sector, the platform focuses mostly on companies that deal with intelligence-gathering and surveillance. This also applies to some governmental organizations, whose data was published on the platform, that are connected to intelligence-gathering and surveillance. The motivation behind targeting such organizations is the desire of the platform’s manager to promote the value of privacy and human rights issues.
To conclude, the DDoSecrets platform has already amassed a substantial amount of data, and continues to add more over short periods of time. Even though much of the information published on this platform is old and was previously published on other platforms, it still represents a large repository comprising many leaks from different places. That said, the sheer number of documents and the not very user-friendly platform make it difficult to analyze the information. We estimate that more interesting information will be found as we and other security researchers continue to investigate the information it contains.
On December 31, 2018, a cybercrime group going by the handle The Dark Overlord (hereafter TDO) claimed to have hacked an unnamed company and exfiltrated a large volume of sensitive documents related to lawsuits arising from the 9/11 terror attacks. TDO aims to extort the impacted organizations into paying a Bitcoin ransom, and has already published batches of the leaked material after creating a public auction system in which anyone can contribute Bitcoins to unlock new documents.
TDO’s tweet announcing the hack, as collected by the Verint Webint 7.5 system. The Twitter account has been suspended
TDO’s Calculated Breach Announcement and Social Media Campaign
The Dark Overlord first announced the existence of the leaked documents on the text-sharing platform, Pastebin, on December 31, 2018. The announcement claimed the group has obtained a batch of 18,000 documents related to the 9/11 terror attacks, which they referred to as the “9/11 Papers.” According to the group, they successfully breached the network of an unnamed US company, and exfiltrated a significant volume of sensitive data connected to the 9/11 litigation process.
Excerpt from the long paste where TDO announces its intention to extort money from its victims, and makes its motivation explicit
Following the alleged hack, TDO conducted an aggressive money extortion operation on social media, targeting the impacted organizations, mainly airline companies, solicitors’ firms, global insurers, government agencies, and others.
The Guessing Game – Discovering the Breach Origin
A spokesperson for Hiscox Syndicates Ltd. (one of the extorted companies) suggested the hackers had compromised a law firm that advised the company, and likely exfiltrated files related to the litigation around the 9/11 attacks from their servers. Several other companies stated they had found no evidence of a security breach impacting their internal networks.
TDO threatened to release compromising documents that may lead to further liability, should their demands not be met. TDO also established a public auction system, through which anyone can contribute Bitcoins to a TDO-controlled wallet to see more documents published. Moreover, they are also selling the stolen data on an elite Darknet hacking forum we monitor.
The Carefully Planned Release of the Leaked Data
In the first paste, TDO also published a link to download the entire 9/11 World Trade Center litigation archive. The archive is encrypted with strong AES encryption using the VeraCrypt open-source utility. On January 2, 2019, to prove the authenticity of the documents in their possession, TDO shared the decryption key for the ‘Preview_Documents’ folder, placing its contents in the public domain. Upon verification, the documents appeared to be indeed authentic.
Overview of the files contained in the ‘Preview_Documents’ folder (left), and the content of the ‘00052249 DOC’ file (right)
On January 4, 2019, TDO released the decryption key for another batch, comprising approximately 500 files. Furthermore, they also released three additional batches, named “Checkpoint 05,” “Checkpoint 06,” and “Checkpoint 07” (~150 additional files). Apparently, these files largely consist of legal documents and email correspondence between legal firms and other entities.
In a subsequent extremely threatening blog post, TDO directly addressed US government organizations, notably the Federal Aviation Administration (FAA), the Transportation Security Administration (TSA), and the FBI, among others, to push them to meet their demands before the situation became “tragic.” In this post, we also detected sporadic spelling mistakes (e.g. ‘tragick’ instead of ‘tragic,’ and ‘choise’ instead of ‘choice’), possibly used as false flags.
We are still processing the great volume of leaked data, but our initial assessment is that the sensitivity of the data published so far has been deliberately inflated by TDO, through a highly professional marketing campaign. We will closely monitor TDO’s media outlets for further publications, and thus test our hypothesis.
Proactively Monitoring TDO – What Can We Learn from Their Previous Activities?
The Dark Overlord is a highly-skilled cybercrime actor (possibly a well-structured cybercrime organization) active since at least June 2016. TDO entered the public spotlight following the 2017 hack of Larson Studios, and the subsequent release of an entire season of the TV show “Orange is the New Black”. TDO claimed the release of the season was to punish Larson for collaborating with the FBI, violating their agreement.
We have closely monitored TDO’s criminal activity since its very inception, infiltrating underground communities where it is most active, and following its social media footprints, to profile the threat actor’s modus operandi and assess the threat level it poses to organizations worldwide.
Example of TDO sales posts on a Darknet forum and marketplaces in recent years. Source: Verint DarkAlert
The threat actor has been predominantly active on Darknet marketplaces and hacking forums, where he tries to sell ‘private’ databases (databases that are not yet in the public domain), but also other goods, such as software source code. In this regard, we recently detected products they sell on an elite hacking forum we monitor, where the group has rapidly achieved VIP status. In fact, an entire forum room is now dedicated to their sales.
With regard to the “9/11 Papers” case, TDO used a dedicated Twitter profile, created in December 2018, to put pressure on the impacted parties by gaining as much visibility as possible. Twitter soon suspended the account. As a result, TDO initially moved to Reddit and, after being banned from there too, eventually moved to the blockchain-based blogging and social networking website Steemit to maintain a more stable communication channel.
What Will TDO do next – a CTI assessment
We assess, with a high level of confidence, that the documents possessed by TDO are authentic, and that the threat actor will continue to release further batches from the archive. Nonetheless, we also estimate that the sensitivity level of these documents might be calculatedly inflated by the threat actor via a sophisticated social media campaign attempting to capitalize on the hack they conducted, by leveraging 9/11-related conspiracy theories.
When evaluating this incident, simply reviewing OSINT publications is not sufficient to build a complete intelligence picture. It is necessary to extend threat visibility by employing additional intelligence methodologies. Combining and comparing the intelligence findings collected by our Cyber Threat Intelligence (CTI) analysts over the years (such as historical data about the TDO group and their underground activities, assessment of their modus operandi and comparison with other attacks of the same type, analysis of the chatter regarding the subject on closed hacking communities, etc.) is crucial to assembling, piece by piece, the whole picture of this incident and establishing its credibility and threat level.
Cyber Threat Intelligence plays a critical role in providing clear threat visibility and developing capabilities for a proactive cyber defense strategy. CTI is a critical layer in this proactive approach, with the purpose of expanding the threat visibility of any organization.
In recent weeks, we have identified a growing awareness on Chinese security blogs and in mainstream media of the existence of the Darknet and the activities of Chinese users on its platforms. The focus is mostly on the sale of leaked data, mainly of Chinese citizens. One of these leaks pertained to the Huazhu hotel group, and was one of two major data breaches that occurred simultaneously in China, raising awareness of this issue. The second breach was the database of SF Express, a delivery service company based in Shenzhen, Guangdong Province. The whole database, containing 300 million pieces of personal data, such as full names, addresses and telephone numbers, was offered for 2 BTC (~ US$ 4,000), while a test sample of 100,000 lines was charged at 0.01 BTC (~ US$ 40).
A Chinese Darknet forum user offers the SF Express database for sale
These two incidents received much attention on official Chinese media, as well as in web security blogs, and coverage has sparked unprecedented discussions regarding the Darknet and its perils in general. For example, the web security blog Security Geek, dedicated its quarterly report, published in late October, to the Darknet, offering various measures of protection.
Activities on a prominent Chinese Darknet forum, which functions as a black online marketplace, have indeed intensified in recent months, facilitating the sale of personal data in a designated section dedicated to “leaks and databases.” All types of personal information found in breached, leaked or stolen databases from different sectors can be found in that section, including, but not limited to, banking (accounts and loans), education (student lists at schools and universities, including parents’ lists), health (personal data of patients and doctors), government (personal information of officials) and property-related data (houses and vehicles).
“Big customers” of the four largest Chinese banks, containing 212,000 lines of data
Personal data of government officials
The fact that the overwhelming majority of these databases contain domestic data, namely personal information of citizens of the People’s Republic of China, and only a fraction of those is personal data of non-Chinese nationalities, could explain the wide attention the subject is currently receiving in China. Judging from previous government reactions to online trends, and based on the growth in public attention to the topic, and criminal activities on the forums, the authorities are more than likely to take measures and halt activities on these forums.
Furthermore, online chatter about the Darknet outside of the Darknet, whether in mainstream media, social networks, clear web forums or designated QQ or Telegram groups, is also on the rise. The term 暗网 (an abbreviated form of the term “Darknet”) has also become an idiomatic word in modern Chinese, used more and more by people not directly involved in Chinese Darknet forums.
The increase in both media and public attention to the Darknet is a relatively new phenomenon in China. State control over the Internet is probably the strictest in the world, which results in relative inaccessibility of non-Chinese networks in general and of the TOR network in particular. This results in a noticeably small amount of Chinese-language activity on the Darknet, especially considering the huge size of China’s Internet market and the fact that Chinese is one of the most commonly used languages on the Internet.
Furthermore, many users who write in Chinese on Darknet platforms and/or are active on Chinese-language Darknet platforms are not citizens of the People’s Republic of China. They are members of other Chinese communities around the world (Hong Kong, Taiwan and more), which makes the current change even more striking.
PyLocky is a new ransomware strain that was detected in the wild in late July 2018, and whose volume of infections increased throughout the month of August. The malware is usually distributed through malspam emails claiming to link to a payment invoice, and it features advanced anti-detection and anti-sandbox capabilities. Notably, infection telemetry shows that PyLocky mainly targeted French and German cyberspace, but ransom notes also exist in Italian and Korean.
On September 11, 2018, we detected the leakage of PyLocky source code on Pastebin. Thus far, the incident has not received media attention. However, the paste was viewed by over 2,500 users. Therefore, our assessment is that this leakage might lower the barrier to entry for wannabe cybercriminals, possibly leading to an increase in malspam campaigns distributing this malware strain in the future.
PyLocky is a new strain of ransomware written in the Python scripting language, and it apparently attempts to exploit the notoriety of the infamous Locky ransomware – one of the most prolific ransomware families in 2017. This expedient is possibly employed to appear as a more substantial threat to victims, despite being totally unrelated to the original Locky ransomware. Reportedly, the malware first appeared in the wild at the end of July 2018, while subsequent distribution campaigns were found to primarily target French and German businesses via weaponized emails in August. Moreover, the ransom note is written in four different languages – French, English, Italian, and Korean – possibly indicating that the malware operators plan to target more geographies in future campaigns.
Telemetry for PyLocky infections registered on August 24. Source: TrendMicro
The malware is typically distributed through malspam emails purporting to be payment invoice messages (a prevalent social engineering lure used in numerous malspam campaigns), enticing the victim into clicking a malicious URL that triggers the infection process.
Example of a weaponized email targeting French users in early August 2018
Notably, the malicious URL leads to a ZIP file containing the executable together with its supporting malware components. Upon execution, the malware encrypts files matching a hardcoded list of over 150 file extensions using the Triple DES (3DES) cipher from the PyCrypto library, and then communicates with its C&C server.
Anti-Detection, Anti-Sandbox Capabilities
PyLocky implements its anti-detection measures by combining two legitimate open source tools, the Inno Setup installer and PyInstaller, which wrap the Python code and interpreter into a native executable. This packing hinders static malware analysis as well as machine learning-based AV engines; other ransomware strains, such as Cerber, have used similar techniques in the past. The malware also features an anti-sandbox check: if the system’s total visible memory is smaller than 4GB, a telltale sign of a sandbox environment, it sleeps for over 11.5 days, long enough to outlast any automated analysis run.
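Once the Inno Setup layer has been unpacked, a quick way to triage a suspected PyLocky dropper is to check for the PyInstaller archive trailer, which survives both the packing and code signing. The script below is an added example written for this report; it is not PyLocky code and not SenseCy/Verint tooling. It assumes the 88-byte trailer layout that PyInstaller 2.1 and later write (big-endian `!8sIIii64s`: magic, package length, TOC offset, TOC length, packed Python version, Python DLL name), and the binary it scans is constructed inline rather than taken from a real sample.

```python
"""Flag PyInstaller-built executables by parsing the archive trailer.

Added example for this report; not PyLocky code, not SenseCy/Verint tooling.
Assumes the PyInstaller 2.1+ cookie: 8-byte magic, package length, TOC
offset, TOC length, packed Python version, 64-byte Python DLL name, all
big-endian ('!8sIIii64s', 88 bytes). The sample binary is constructed here.
"""
import struct

PYINST_MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FMT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)  # 88 bytes


def decode_pyversion(raw: int) -> str:
    """Older PyInstaller releases store major*10+minor (e.g. 27), newer ones
    major*100+minor (e.g. 307); normalise both to 'major.minor'."""
    if raw >= 100:
        return f"{raw // 100}.{raw % 100}"
    return f"{raw // 10}.{raw % 10}"


def find_pyinstaller_cookie(data: bytes):
    """Return the parsed trailer if `data` is a PyInstaller bundle, else None.

    The cookie is written at the end of the archive, but an Authenticode
    signature or any other overlay appended afterwards moves it away from
    EOF, so search backwards for the magic instead of reading a fixed offset.
    """
    pos = data.rfind(PYINST_MAGIC)
    if pos == -1 or pos + COOKIE_SIZE > len(data):
        return None
    magic, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FMT, data[pos:pos + COOKIE_SIZE])
    archive_start = pos + COOKIE_SIZE - pkg_len
    # Sanity checks: the archive must fit inside the file and the TOC must
    # lie inside the archive before the cookie; otherwise the magic is noise.
    if archive_start < 0 or toc_off + toc_len > pkg_len - COOKIE_SIZE:
        return None
    return {
        "archive_start": archive_start,
        "archive_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": decode_pyversion(pyver),
        "pylib": pylib.rstrip(b"\0").decode("ascii", "replace"),
        "overlay_after_cookie": len(data) - (pos + COOKIE_SIZE),
    }


def build_sample(pyver: int = 27, pylib: bytes = b"python27.dll") -> bytes:
    """Constructed stand-in for a PyInstaller-built PE: a fake DOS/PE stub,
    an archive body, a dummy TOC and a well-formed cookie."""
    stub = b"MZ" + b"\0" * 62 + b"PE\0\0" + b"\0" * 200
    body = b"PYZ-00.pyz" + b"\0" * 100
    toc = b"\0" * 32
    pkg_len = len(body) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, PYINST_MAGIC, pkg_len, len(body),
                         len(toc), pyver, pylib)
    return stub + body + toc + cookie


if __name__ == "__main__":
    print(find_pyinstaller_cookie(build_sample()))
    # A signed binary carries an overlay after the cookie; still detected.
    print(find_pyinstaller_cookie(build_sample() + b"\0" * 512))
    print(find_pyinstaller_cookie(b"MZ" + b"\0" * 300))  # plain PE: None
```

Run it against the executable extracted from the Inno Setup installer, not the installer itself; the Python DLL name and version in the trailer tell you which interpreter to use when decompiling the bundled .pyc files.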
PyLocky Source Code Leaked on Pastebin
On September 11, 2018 (3:43:21 PM GMT+3), our Dark Alert system detected the leakage of PyLocky source code on the Pastebin text-sharing platform. The code was published untitled by an unidentified actor who accessed the platform as a “Guest.” It consists of 226 lines of Python and had been seen by 3,000 viewers as of the time of writing.
The paste in which the PyLocky ransomware’s source code was leaked. Source: Verint DarkAlert
Of note, we did not detect any chatter regarding this leakage in open sources or on the Dark Web sources we monitor, apart from an isolated discussion on Reddit, where a link to the original paste was shared in a hacking subreddit. Nonetheless, as analogous past cases suggest (for example, the Mirai botnet source code leak in late 2016, which led to devastating DDoS attacks), the release of malware source code into the public sphere generally leads to widespread adoption of the code, or parts of it, by a variety of threat actors. This enables less skilled actors, the so-called “script kiddies,” to mount cyber-attacks with relative ease, leading to a significant increase in malspam campaigns and infections.
In light of the recent source code leakage, the significant visibility the paste accrued, and the absence of an available decryptor for PyLocky at this time, we assess with medium confidence that we will observe a proliferation of this ransomware strain in the future, making it a potential threat to businesses and individuals alike.
The CVE-2018-8174 vulnerability, also dubbed “Double Kill,” was publicly disclosed at the beginning of May 2018, after it had been exploited as a 0-day in an APT attack in China that leveraged malicious Office files. The vulnerability affects any user with Internet Explorer installed, whether they browse the web or open a crafted Office document, even if IE is not set as the default browser. It also affects IE11, even though IE11 no longer runs VBScript by default, because the exploit page uses a compatibility meta tag to force IE10 document mode, in which VBScript still executes. Microsoft patched the vulnerability on May 8, 2018.
Our monitoring revealed that since its disclosure, various threat actors in the Russian underground hacking scene have shown a keen interest in this vulnerability, indicating a strong intent to use it in attacks. Since then, we have observed exploits for it incorporated into several prominent attack tools used by Russian threat actors, including the RIG Exploit Kit and the Threadkit package of Office exploits, indicating that cybercriminals see it as a profitable attack vector. Concurrently, security reports state that exploitation of this vulnerability has been witnessed in additional attack campaigns.
The CVE-2018-8174 Exploit
The vulnerability exists in the VBScript engine, which is used both by the Internet Explorer browser and by Microsoft Office. It is a use-after-free (UAF) memory corruption bug, and it is particularly dangerous because a successful exploit turns the dangling reference into arbitrary read and write primitives, from which arbitrary code execution, and hence full remote code execution through a web page or a document, follows.
The APT attack spotted in China, later attributed to North Korean threat actors, used the URL Moniker technique to load the VBScript exploit for CVE-2018-8174 into the Office process. Unlike previously known Office exploits that used the same technique, the URL link in this exploit causes mshtml.dll, Internet Explorer’s HTML rendering engine, to be loaded into the Office process, and that engine in turn loads the VBScript engine to run the script. Thus, although a Word document is the initial attack vector, the exploit takes advantage of a vulnerability in VBScript, not in Microsoft Word.
This attack vector allows attackers to embed Internet Explorer exploits directly in Office documents, so that they can be delivered through spear-phishing as well as drive-by campaigns. Immediately upon its discovery, it was estimated that the vulnerability would be exploited in multiple attack campaigns in the near future.
The in-the-wild exploit consisted of three stages:
Delivery of a malicious Word document
Once the document is opened, an HTML page containing VBScript code is downloaded to the victim’s machine
A UAF vulnerability is triggered, and shellcode is executed
Microsoft Office alert pops-up when opening the crafted document
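The three stages above leave two artefacts a defender can inspect without detonating anything: the Word document, whose URL moniker shows up inside the .docx package as an OLE-object relationship with an external target, and the HTML page it fetches. The script below is an added example written for this report; it is not the exploit and not SenseCy/Verint tooling. The HTML indicators are heuristics drawn from the public descriptions of the in-the-wild sample (a VBScript block, a meta tag forcing IE10 compatibility mode, and use of the Class_Terminate callback through which the use-after-free is reached), and the relationship check is the generic external-OLE-target pattern that earlier URL-moniker documents also show, so a hit means “look closer,” not “confirmed CVE-2018-8174.” The document and page are constructed inline, with example.invalid as a placeholder host.

```python
"""Static triage for the CVE-2018-8174 delivery chain: a .docx that pulls a
remote page via URL moniker, and the VBScript page it fetches.

Added example for this report, not the exploit and not SenseCy/Verint tooling.
Indicators are heuristics from public analyses of the in-the-wild sample;
the inputs below are constructed (example.invalid is a placeholder host).
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
PKG_NS = "{" + RELS_NS + "}"
OLE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
           "relationships/oleObject")


def external_ole_targets(docx_bytes: bytes) -> list:
    """List (rels file, target) pairs for OLE-object relationships whose
    target is external. A legitimately embedded object lives inside the
    package; an oleObject relationship marked TargetMode="External" with a
    URL target is the URL-moniker pattern and warrants a closer look."""
    if not zipfile.is_zipfile(io.BytesIO(docx_bytes)):
        return []
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(PKG_NS + "Relationship"):
                if (rel.get("Type") == OLE_REL
                        and rel.get("TargetMode", "").lower() == "external"):
                    hits.append((name, rel.get("Target")))
    return hits


HTML_INDICATORS = {
    # VBScript is the vulnerable engine; a 2018 web page scripting it is rare.
    "vbscript_block": re.compile(
        r"<script[^>]*(?:language|type)\s*=\s*[\"']?(?:text/)?vbscript", re.I),
    # Forcing IE10 document mode is what makes IE11 run VBScript at all.
    "forces_ie10_mode": re.compile(
        r"x-ua-compatible[^>]*content\s*=\s*[\"']?IE=(?:EmulateIE)?10\b", re.I),
    # The use-after-free is reached through the Class_Terminate callback.
    "class_terminate": re.compile(r"\bClass_Terminate\b", re.I),
}


def score_html(html: str) -> dict:
    """Evaluate each indicator; flag when VBScript is present together with
    at least one of the exploit-specific tells."""
    found = {name: bool(rx.search(html)) for name, rx in HTML_INDICATORS.items()}
    found["suspicious"] = found["vbscript_block"] and (
        found["forces_ie10_mode"] or found["class_terminate"])
    return found


# Constructed samples (not real exploit content).
MALICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{RELS_NS}">
<Relationship Id="rId4" Type="{OLE_REL}"
 Target="http://example.invalid/page.html" TargetMode="External"/>
</Relationships>"""
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{RELS_NS}">
<Relationship Id="rId2" Type="{OLE_REL}" Target="embeddings/oleObject1.bin"/>
</Relationships>"""
SAMPLE_HTML = """<html><head>
<meta http-equiv="x-ua-compatible" content="IE=10">
</head><body><script language="vbscript">
Class Cls1
  Private Sub Class_Terminate()
  End Sub
End Class
</script></body></html>"""


def build_docx(rels_xml: str) -> bytes:
    """Minimal in-memory .docx holding only the parts the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    print(external_ole_targets(build_docx(MALICIOUS_RELS)))
    print(external_ole_targets(build_docx(BENIGN_RELS)))
    print(score_html(SAMPLE_HTML))
```

The document check is deliberately payload-agnostic: any external OLE target in a mail attachment is worth blocking or detonating, whichever CVE the fetched page turns out to carry, and the URL it yields is the indicator to pivot on in proxy logs.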
In less than two weeks, an exploit for CVE-2018-8174 was incorporated into the Metasploit framework. At the same time, we spotted vigorous chatter regarding this vulnerability on underground sources, in particular Russian-language ones. Some threat actors sought to purchase the exploit, while others shared PoC samples for the explicit purpose of analysis and further modification.
CVE-2018-8174 exploit is mentioned on underground chatter. Source: Verint DarkAlert
Moreover, in line with predictions made by security researchers, exploitation of this vulnerability was added to some of the most popular attack tools on the Russian underground. Of note, operators of both Office exploit packages and browser exploit kits announced the addition of the exploit to their tools, meaning the malicious payload can be delivered through either of the two vulnerable applications. As explained above, the attack vector can be a malicious Microsoft Office file that loads the IE engine even if IE is not the default browser, or a crafted URL link sent directly to the target.
We detected an exploit for CVE-2018-8174 added to the following attack tools traded on the Russian underground:
The RIG campaign’s infection chain. Source: Trend Micro
The Threadkit Office exploit package – the modified version that includes the CVE-2018-8174 exploit has yet to be seen in the wild, but the kit’s author announced its incorporation several days ago. The update will cost US$ 400.
Another Office exploit package – the new version includes exploits for the following vulnerabilities: CVE-2018-8174, CVE-2018-0802, CVE-2017-11882 and CVE-2017-8570.
Exploit for CVE-2018-8174 added to another Office exploit package. Source: Verint DarkAlert